Wiping unused space in a file system
August 23rd, 2006 by Samuel TardieuA perverse hacker friend of mine has written a clever yet scaring Windows utility. Each time a USB key is inserted into his computer, the whole content of the key is silently dumped and stored on the machine. It doesn’t copy the existing files; it makes an image of the key.
After that, when the unsuspecting person has gone away, he can run various utilities such as undeletion tools or recoverjpeg and retrieve files that were previously deleted from the key. Doing so, he was able to get confidential documents, job offers, cracked software, music and pictures that their owner thought they had been deleted.
My friend is probably not the first one to have had this idea, however he is the first one who told me about it. Since then, I have discovered at least one other implementation of it, called USBdumper.
Being able to recover deleted files is nothing new. But silently dumping the content of a USB key is clever. I won’t discuss the legal, moral and ethical implications here, I want to focus on ways to protect one’s deleted data from being recovered by a casual attacker, that is one who only temporarily gains access to the device. Also, if you delete a file without using this utility, you have no way to wipe it afterwards, especially if some blocks have been reused in the meantime.
Wiping utilities have existed for a long time. They write random data over an existing file before deleting it. This way, the previous content of the file cannot be recovered. However, when using journaling file systems, there is no guarantee that the data will really be erased; it could still be at another place on the disk.
What we need is a tool that wipes all the unused blocks in a file system. This tool would probably have to run in kernel space to avoid race conditions if the computer is accessing the file system at the same time. To avoid writing needlessly and repeatedly on a device which might tear off, such a tool should first read those unallocated block and write them back only if they do not contain a recognizable pattern (such as all zeroes). Remember that we are not interested here in fighting post-mortem analysis using dedicated forensics tools to analyze the disk surface or some flash memory characteristics, we want to protect data from being recovered using a regular computer.
It would also be useful to have an option at mount time to erase the data being unallocated in a file system. Every time the operating system woud mark a previously used block as free on the disk, it would also erase its content with the same pattern. This would make deleting files slow and accidental mistakes would not be forgiving anymore, but in some environments it would make the system much more secure. To give only one example, on a server, this would prevent an attacker gaining remote root access from accessing the content of previously deleted emails. I would certainly use it.
August 23rd, 2006 at 11:36
Sam, there is a trivially simple solution to your problem.
“a tool that wipes all the unused blocks in a file system”…
In layman words that just means filling a disk. Don’t tell me you really have no idea how to do that? And it’s filesystem-agnostic, too.
The only slight remaining problem might be wiping deleted directories entries, but nothing that a small script can’t solve (on Unix you just have to delete and recreate the directory by mv’ing files around).
August 23rd, 2006 at 11:40
Pierre : do that each time you mount your USB key, and you’ll see its lifetime expectancy decrease very rapidly. Moreover, by doing so you will disturb regular file system operations as you will fill all the available space. The tool I need would not modify at any moment the quantity of free space on a file system and could be used at any time (think daily cron job on a server).
August 23rd, 2006 at 12:21
Decrease life expectancy: I doubt you’ll wipe your USB key every time you use it, and if you do it on the fly, you’ll write over each deleted file, which will also harm it a lot.
Disturb regular filesystem operations (by filling): true, but it’s less relevant on a USB key than on a server or fixed disk filesystem.
So I think you are trying to tackle two very different problems, really: one for removable media, infrequent use, where wiping can be done on the unmounted media if need be (beginning of your post); one for fixed media, permanent use, where wiping has be done on the fly or at least frequently and while the filesystem is mounted (end of your post).
August 25th, 2006 at 14:42
I use the open source “Eraser” program and have for quite a while. It regularly zeroes both unused clusters and slack space at the ends of files. I schedule a nightly run.
I also keep all my data on portable storage devices in truecrypt volumes, so if it’s stolen I lose the device only, not control of the data.
August 25th, 2006 at 14:45
John: unfortunately, Eraser is only available for Windows at this time. Porting it under another operating system would be very difficult on a mounted volume. As far as encrypted volumes are concerned, there is no portable solution that I know to reread them under any operating system while a FAT volume is accessible from anywhere.
August 25th, 2006 at 14:46
If you’re going to wipe flash memory, wipe it to all FFs rather than 00s. Flash memory needs to be “cleared” to “FF” before writing anyway, so if you write FFs to the unused sectors, you’ve just prepped them for writing; the onboard controller would have had to write FFs there before writing to it anyway, so effectively you have NOT decreased the flash memory’s lifespan.
I’m not sure if this is true of all flavors of flash but it used to be true. Maybe someone with more knowledge will pipe up.
August 25th, 2006 at 14:52
John: excellent remark about flash block erasure; the flash chips I usually work with in embedded systems work as you describe.
August 25th, 2006 at 17:54
[...] A program called USBDumper can do just that. You install the software on a PC and as soon as someone plugs in their USB flash drive, it quietly copies all the files off it. You can take this a step further and get the program to do a complete image of the drive , which would allow deleted files to be recovered and viewed. [...]
August 31st, 2006 at 17:52
[...] USBDumper je malá utilitka, která potichu zkopíruje obsah vloženého USB disku na PC. Myšlenka použití spočívá v nainstalování této utilitky na nějaký například veřejný počítač a pak sbírat data z vložených klíčenek. Diskusi k této problematice lze nalézt na tomto blogu. USBdumper lze stáhnout přímo zde. [...]
September 4th, 2006 at 18:16
“Wiping unused space in a file system”
I usually make use of the product that I own. For me this is StompSoft’s Digital File Shredder Pro (http://www.stompsoft.com/fileshredder.html) which has a option to clean free space on your hard drive and can be scheduled to occur when ever you want, which for me is usually on a weekly basis. As far as the USBdumper or similar app working on my USB drives whoever tries to do this is going to have to break my encryption first otherwise there will be nothing to see
September 6th, 2006 at 6:51
Sam, you can have a look at the following url : http://www.theregister.co.uk/2002/11/21/data_security_for_linux_power/
September 15th, 2006 at 17:22
Windows 2000/XP/2003 comes installed with a utility, part of EFS, which will wipe a drive. The ‘cipher’ utility writes zeroes, ones, and random data (one pass of each) over the disk. To wipe E:, for example, “cipher /w:e:”
I regularly transfer sensitive documents to clients using a thumbdrive - and I make sure it gets wiped between clients so that there’s no leakage of information from one client to another.
More info available here: http://www.microsoft.com/technet/Security/tools/cipherfaq.mspx
(Under Linux, ‘dd if=/dev/urandom of=/mnt/usb’ a couple of times does the trick.)
February 22nd, 2007 at 9:36
Some people have been writing utilities that silently dump the content of any USB key as soon as they are inserted into their computer. Then using undeletion tools, they can gain access to your private documents that you thought had been erased.
April 4th, 2007 at 12:19
This is great idea.
This idea can be use to hide information to … file system must be separated in flash drive and hard drive.
June 28th, 2007 at 13:37
I regularly using a flash drive on my notebook, I think this http://www.myusbonly.com may works for you too!
December 6th, 2007 at 7:36
[...] them personal and confidential — from anyone who plugs their USB drive into that computer. (This blog post talks about a version that downloads a disk image, allowing someone to recover deleted files as [...]
July 27th, 2008 at 21:00
Wow, what a sly guy this is trying to get personal info from people. A lot of apps that were created for harm can be used for the good as well. I think this is one of them. I guess the key is to not have friends that would do this to you
- and not to let people just stick in their USB device into your computer.